The present invention, in some embodiments thereof, relates to managing connections to target systems, and, more particularly, but not exclusively, to managing connections to target systems on a per connection basis.
Current schemes for managing user access to targets are typically implemented in a global manner. The access policies are applied to the target system, to a user or group of users. For example, the Remote Desktop Protocol (RDP) enables a user client to redirect resources such as the clipboard, local drives and printers to the target server. If the administrator does not want the user to have these abilities, the administrator may configure the target server to prevent these actions. However, the limitations will then apply to all the RDP connections to the machine. Thus, in order to prevent clipboard redirection to a target machine by a specific user, the administrator needs to prevent clipboard redirection for all the users who connect to that target machine via RDP.
Current solutions to the problem include:
1) Signing the RDP file in order to protect against tampering with the connection settings—In a typical Remote Desktop Web Access implementation, the web server provides an RDP file to the client so the user may establish a remote desktop connection to a remote server. The RDP file contains a collection of settings that will later be sent to the remote server. In order for the client to determine the legitimacy of the RDP file content sent by the web server, the web server adds a digital signature to the RDP file. The client verifies the content of the RDP file using the digital signature. However, the client may remove the digital signature from the RDP file and tamper with its contents. This approach mainly protects the user client.
2) Configuring a policy over the RDP server—The administrator configures a policy that is enforced using specific connection settings. The policy may be local (applying to a specific machine) or apply to the entire domain. In both approaches, the policy applies to all the connections.
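To make the RDP file of item 1) concrete, the following added example (not part of the original text) parses an RDP file's `name:type:value` lines and reports, for the clipboard, printer and drive redirection settings, whether each is enabled and whether it is listed in the file's signed scope. The sample file is constructed, and matching `signscope` entries to setting names by dropping spaces and case is an assumption of this example.

```python
# Added example: audit redirection settings in an .rdp file (defensive review aid).
REDIRECT_KEYS = ("redirectclipboard", "redirectprinters", "drivestoredirect")

# Constructed sample; host name and signature value are placeholders.
SAMPLE = """full address:s:target.example.internal
redirectclipboard:i:0
redirectprinters:i:1
drivestoredirect:s:*
signscope:s:Full Address,RedirectClipboard,RedirectPrinters
signature:s:CONSTRUCTED-PLACEHOLDER
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue                       # skip blank or malformed lines
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings

def signed_scope(settings):
    """Names covered by the signature; empty if the file carries no signature."""
    if "signature" not in settings or "signscope" not in settings:
        return set()
    entries = settings["signscope"][1].split(",")
    # Assumption: scope entries map to setting names once spaces and case are dropped.
    return {e.replace(" ", "").lower() for e in entries if e.strip()}

def is_enabled(typ, value):
    """Integer settings are on when non-zero; string settings when non-empty."""
    return value not in ("", "0") if typ == "i" else value != ""

def audit_redirection(text):
    """Report each redirection setting present: enabled? inside signed scope?"""
    settings = parse_rdp(text)
    scope = signed_scope(settings)
    report = {}
    for key in REDIRECT_KEYS:
        if key in settings:
            typ, value = settings[key]
            report[key] = {"enabled": is_enabled(typ, value),
                           "signed": key in scope}
    return report

if __name__ == "__main__":
    for name, result in audit_redirection(SAMPLE).items():
        print(name, result)
```

The report only describes what the file claims: the signature lets the client judge the file, so a server receiving these settings still has to apply its own policy to them.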